Security Exposure: WebSphere Application Server with JAX-RPC WS-Security may improperly validate UsernameTokens (PK75992)

Abstract:
JAX-RPC WS-Security may improperly validate UsernameTokens (PK75992)

Versions affected:
IBM WebSphere Application Server Versions 6.0.2.25 through 6.0.2.31, 6.1.0.15 through 6.1.0.21 (6.1.0.22 for z/OS), and 7.0.0.0 through 7.0.0.1.
This security exposure does not occur on versions 5.1, 6.0.2 through 6.0.2.24, 6.0.2.33 or later, 6.1 through 6.1.0.14, 6.1.0.23 or later, and 7.0.0.3 or later.

Problem Description:
When WS-Security is used with JAX-RPC applications, the WS-Security runtime has a potential security exposure and may incorrectly validate a UsernameToken. This problem does not exist when WebSphere web services clients are used. This could allow an attacker to obtain unauthorized authentication access.

Solutions:
Applying Interim Fix APAR PK75992, or a Fix Pack containing this APAR, resolves this issue.

For IBM WebSphere Application Server for Distributed:

For V7.0 through 7.0.0.1:

For V6.1.0.15 through 6.1.0.21:
- If you are not already at Fix Pack 19 (6.1.0.19) or later, upgrade to Fix Pack 19 or later, and then
- Apply Interim Fix APAR PK75992
--OR--
- Apply Fix Pack 23 or later.

For V6.0.2.25 through 6.0.2.31:
- If you are not already at Fix Pack 27 (6.0.2.27) or later, upgrade to Fix Pack 27 or later, and then
- Apply Interim Fix APAR PK75992
--OR--
- Apply Fix Pack 33 (6.0.2.33) or later.

For IBM WebSphere Application Server for i5/OS:

For V7.0 through 7.0.0.1:
For V6.1.0.19 through 6.1.0.21:
For V6.1.0.15 through 6.1.0.17:
For V6.0.2.27 through 6.0.2.31:
- Apply Interim Fix APAR PK75992
--OR--
- Apply the WebSphere Application Server PTF group which includes Fix Pack 35 (6.0.2.35) or later, according to the PTF group instructions (6.0.2.35 is targeted for availability early June 2009).

Note: Fix Packs 25, 29 and 33 are not provided for i5/OS.

For IBM WebSphere Application Server for z/OS:

For V7.0 through 7.0.0.1:
- Apply APAR PK75992 (in PK81944) with PTFs for 7.0.0.3 or later.

For V6.1.0.15 through 6.1.0.22:
- Apply APAR PK75992 (in PK81211) with PTFs for 6.1.0.23 or later.

For V6.0.2.27 through 6.0.2.31:
- Apply APAR PK75992 (in PK79233) with PTFs for 6.0.2.33 or later.
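As an added example (not IBM's tooling and not part of the fix), the following Python encodes the affected ranges and resolving fix-pack levels stated above for the Distributed and z/OS streams, so an inventory of WebSphere version strings can be triaged against this bulletin. The function names, the `distributed`/`zos` platform keys and the hostnames in the sample inventory are this example's own; i5/OS, whose remediation goes through PTF groups, is not modelled.

```python
"""Affected-version triage for APAR PK75992 (added example, not IBM code).
Ranges are transcribed from the bulletin; everything else is this example's design."""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

def parse_version(s: str) -> Version:
    """Turn '6.1.0.21' into (6, 1, 0, 21); short forms such as '7.0' pad to four parts."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected WebSphere version string: {s!r}")
    return parts + (0,) * (4 - len(parts))  # type: ignore[return-value]

# (lowest affected, highest affected, first fix pack level that resolves PK75992).
# The streams differ only at 6.1, which the bulletin extends to 6.1.0.22 on z/OS.
# Levels the bulletin names in neither list (e.g. 6.1.0.22 on Distributed) are
# deliberately reported as "not in an affected range" rather than guessed.
_AFFECTED_RANGES = {
    "distributed": [
        ("6.0.2.25", "6.0.2.31", "6.0.2.33"),
        ("6.1.0.15", "6.1.0.21", "6.1.0.23"),
        ("7.0.0.0", "7.0.0.1", "7.0.0.3"),
    ],
    "zos": [
        ("6.0.2.25", "6.0.2.31", "6.0.2.33"),
        ("6.1.0.15", "6.1.0.22", "6.1.0.23"),
        ("7.0.0.0", "7.0.0.1", "7.0.0.3"),
    ],
}

def pk75992_status(version: str, platform: str = "distributed") -> Optional[str]:
    """Return None when the level is outside every affected range, otherwise the
    first fix pack level for that stream that carries PK75992."""
    v = parse_version(version)
    for low, high, fixed in _AFFECTED_RANGES[platform]:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None

def triage(inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map host -> (version, platform) to (host, version, fix level) for exposed hosts."""
    exposed = []
    for host, (version, platform) in inventory.items():
        fix = pk75992_status(version, platform)
        if fix is not None:
            exposed.append((host, version, fix))
    return exposed

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and levels are illustrative only).
    sample = {"app01": ("6.1.0.21", "distributed"), "app02": ("6.1.0.23", "distributed"),
              "mvs01": ("6.1.0.22", "zos"), "app03": ("7.0", "distributed")}
    for row in triage(sample):
        print("%s at %s: exposed, move to %s or later" % row)
```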
Additional documentation:
For additional details and information on WebSphere Application Server product updates:

Cross Reference information:

| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | WebSphere Application Server for z/OS | Web Services Security | OS/390, z/OS | 7.0, 6.1, 6.0 | |
| Application Servers | WebSphere Application Server for z/OS | | z/OS | 7.0, 6.1, 6.0 | |
Product categories: Software; Application Servers; Distributed Application & Web Servers; WebSphere Application Server for z/OS; Web Services Security

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software version: 6.0.2.25, 6.0.2.27, 6.0.2.29, 6.0.2.31, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 7.0, 7.0.0.1

Software edition: Base, Express, Network Deployment

Reference #: 1367223

IBM Group: Software Group

Modified date: 2009-07-08